On Tue, 2007-10-30 at 09:10 -0500, Larry Garfield wrote:
> On Tuesday 30 October 2007, Per Jessen wrote:
> > Larry Garfield wrote:
> > > Here's a bigger question: When will people stop using mysql_ as their
> > > example API, when PDO is more standard in PHP 5 and more secure, and
> > > mysqli is available as well?
> >
> > As always, the key question must be - what's the advantage of moving?
> > When the developer benefits from something being "more standard" and
> > more secure, then he'll change.
> > If you want to force someone to change, you remove the interface (after
> > having marked it deprecated for a while).
>
> encouraging the use of prepared statements is up there with discouraging the

That's not true at all. If it were then mysqli_real_escape_string() would
have a warning about its use. I looked. There was no warning. Nothing wrong
with NOT using prepared statements... you just have to be careful to
filter/escape properly.

You have to be careful about doing that stuff anyways since the "magic"
prepared statement won't help you when you start running shell commands via
user input. So you may as well just get in the habit of knowing what you're
doing instead of waving your hands in the air and hoping PHP, PDO,
magic_quotes, etc, etc will save you.

Cheers,
Rob.
-- 
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
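
The point debated in this thread, that a bound SQL parameter protects only the SQL context and the same value still needs shell quoting before it reaches a command line, shown as an added example (not code from any poster in the thread). It assumes PHP 5.4+ with the pdo_sqlite extension and a POSIX shell; the table name and sample input are constructed for illustration.

```php
<?php
// Constructed sample input containing both SQL and shell metacharacters.
$userInput = "report'; DROP TABLE files; --\$(id)";

// --- SQL context: PDO prepared statements (in-memory SQLite, runs offline) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)');

// The value travels as data, separate from the statement text, so the quote
// and the trailing "DROP TABLE" are stored literally and never parsed as SQL.
$insert = $pdo->prepare('INSERT INTO files (name) VALUES (:name)');
$insert->execute([':name' => $userInput]);

$select = $pdo->prepare('SELECT COUNT(*) FROM files WHERE name = :name');
$select->execute([':name' => $userInput]);
echo "rows matching the literal input: ", $select->fetchColumn(), "\n";

// --- Shell context: binding above did nothing for this use of the value ---
// The string read back from the database is byte-for-byte what the user sent,
// metacharacters included, so it needs quoting for the shell it is about to enter.
$storedName = $pdo->query('SELECT name FROM files')->fetchColumn();

// escapeshellarg() wraps the value in single quotes and escapes embedded ones,
// so $(id) and ; reach printf as plain characters rather than shell syntax.
$cmd = 'printf %s ' . escapeshellarg($storedName);
$output = shell_exec($cmd);

echo "command line: ", $cmd, "\n";
echo "shell saw the value as one literal argument: ";
var_dump($output === $userInput);
```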